In this age of digital transformation, many organizations are eager to move to the cloud. However, it’s important to remember that not all clouds are created equal. One cloud may be designed using industry security best practices, and another may cut corners, placing your sensitive data at risk. There’s also the issue of scale. Organizations might start by using just one cloud provider, then quickly end up using dozens or even hundreds of different cloud providers. It’s up to each company to do its due diligence up front, and at scale, to find cloud providers that meet its security requirements.
Here are key questions you should ask cloud providers before adoption to ensure control and transparency are at the forefront of your cloud migration.
Do they fit your company’s size and security needs?
Many organizations are subject to a high degree of regulation and are frequently audited. The cloud provider must be able to demonstrate a proven track record of managing highly-controlled and regulated data. They should also have a comprehensive audit program in place to help your organization pass your own third-party and regulatory audits.
Can they keep up with change and risk?
Changes in cloud software happen so rapidly that by the time your next annual vendor review comes around, the vendor may have hundreds of new features and may even have changed their entire technology stack. Ensuring there are key controls in place to manage this influx of change is critical. Otherwise, the constant changes open your organization up to unknown vulnerabilities. Organizations should require their cloud provider to notify them of any significant changes to the product. There should also be a clause in the contract which states that the cloud provider may not materially lessen the security controls during the term of the contract. This ensures that while there will be constant change, the provider can’t weaken the security program that you have previously reviewed and approved.
Many cloud providers have implemented a product council to discuss upcoming product features and evolving security policies. Asking to be a member of the cloud provider’s product council allows you to keep up to date and provide valuable feedback on the cloud provider’s roadmap. Many cloud providers also maintain product update blogs to inform their customers of new product changes. Signing up for these ensures you won’t miss any new features, like new activity API logs or Bring Your Own Key (BYOK) encryption models, that would allow you to further increase the security of your data in the cloud.
What visibility and control are available?
It is important that the organization continues to have full visibility into how its data is being stored, processed, accessed, and transmitted in the cloud. The service agreements with the cloud provider should clearly describe how the organization’s data is to be managed and protected in the cloud. Apart from strong contractual controls, the organization must have near real-time visibility into how its data is managed by the cloud provider. A continuous monitoring model will allow you to pull all logs into your own Security Operations Center (SOC) to look for anomalies or changes. In addition to transparency, control of your data is key. New features may be shipped every week, but you should have a choice in which features you want to enable and which features introduce a higher level of risk. Check if your cloud provider offers a self-service master feature switch, which would allow you to turn product features on and off. For example, you could enable a feature to support Multi-Factor Authentication (MFA), but disable a new feature allowing your data to be shared by email with third parties. This master product feature switch capability enables you to manage your cloud in accordance with your own policies and not your cloud provider’s release cycle, which could otherwise expose your organization to unnecessary risk.
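The continuous monitoring model above can be turned into a concrete SOC check: compare the feature state observed in the provider's activity log against your own policy, and flag control changes that were not made by your approved administrators. The example below is added here and is not code from the original post or from any particular cloud provider; the policy, the approved-actor list, the event names and the log lines are all constructed for illustration.

```python
import json
from typing import Dict, List, Set

# Desired feature state set by the organization's own policy (constructed example):
# True = must be enabled, False = must be disabled.
FEATURE_POLICY: Dict[str, bool] = {
    "mfa_enforced": True,            # MFA must stay on
    "external_email_sharing": False, # sharing data by email with third parties must stay off
    "byok_encryption": True,         # BYOK encryption must be on
}

# Only these actors may change security controls; anything else is reviewed against
# the "may not materially lessen security controls" contract clause.
APPROVED_ACTORS: Set[str] = {"admin@example.com"}

# Constructed sample of a provider activity log (JSON lines). Field names are hypothetical.
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:00:00Z","actor":"admin@example.com","event":"feature.toggle","feature":"mfa_enforced","value":true}
{"ts":"2024-03-02T11:15:00Z","actor":"provider-release","event":"feature.toggle","feature":"external_email_sharing","value":true}
{"ts":"2024-03-03T08:30:00Z","actor":"provider-release","event":"control.changed","control":"tls_min_version","old":"1.2","new":"1.0"}
"""


def parse_events(raw: str) -> List[dict]:
    """Parse JSON-lines activity log entries, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def check_feature_drift(events: List[dict], policy: Dict[str, bool]) -> List[str]:
    """Alert when the latest observed state of a policy-controlled feature contradicts policy,
    or when no state has been observed at all (unknown state is treated as a finding)."""
    latest = {}
    for e in events:  # log is in time order, so the last toggle wins
        if e.get("event") == "feature.toggle":
            latest[e["feature"]] = (e["value"], e["ts"], e["actor"])
    alerts = []
    for feature, wanted in policy.items():
        if feature not in latest:
            alerts.append(f"{feature}: no observed state; verify with the provider")
        elif latest[feature][0] != wanted:
            value, ts, actor = latest[feature]
            alerts.append(f"{feature}: observed {value} but policy requires {wanted}; set by {actor} at {ts}")
    return alerts


def unapproved_control_changes(events: List[dict], approved: Set[str]) -> List[dict]:
    """Return security-control changes made by anyone outside the approved actor set."""
    return [e for e in events if e.get("event") == "control.changed" and e.get("actor") not in approved]
```

In this constructed log the provider release silently enabled email sharing and lowered the TLS floor, so both checks fire while the customer-initiated MFA change does not.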
The cloud should be able to provide a far more secure model than legacy on-premises deployments. However, you should do your due diligence up front to select the enterprise cloud providers that can meet and exceed your security requirements. Otherwise, you may be left with unsophisticated cloud providers that can’t adequately protect your data, and your journey to the cloud could be a turbulent and costly one.